Electronic signature verification method and system

ABSTRACT

In an electronic signature verification method, in order to perform optimum verification while coping with variations in signatures of an individual, data of a handwritten character string of a signer are fetched and compared with registration signature data set in advance; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment. The region in which the signature is recognized to be true and the intermediate region in which re-signing is requested are determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the region in which the signature is recognized to be true becomes wider when the distribution is wide and becomes narrower when the distribution is narrow and such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method of verifying an electronic signature. More particularly, the present invention relates to a method in which a degree of difference (cumulative error) between registered signature data and signature data to be verified is obtained during verification, and a signer is authenticated on the basis of the degree of difference, as well as to a method and apparatus for electronic-tablet correction.

2. Discussion of the Background

A handwritten character recognition method by which written characters are recognized has been utilized as an input method for word processors or a signature verification method for specifying a writer. Under a handwritten character recognition method which has already been in actual use as an input method, characters are input under specified constraints on the style of typeface (e.g., in the style of Kaisho in the case of Japanese), and the thus-input characters are converted into coordinate information. The thus-converted coordinate information is verified by comparison with coordinate information relating to character data which have been stored beforehand. As a result of verification, the characters are recognized as matched. If characters are carefully written in the kaisho style at comparatively slow speed in the manner as previously described, the characters can be sufficiently recognized through use of only coordinate information because under such conditions each of the strokes of the characters becomes clear by virtue of visual feedback to the writer and hence the shape of the characters becomes stable.

In contrast, in a case where the character recognition method is applied to an input method which does not pose any restriction on the style of typeface at the time of input of characters or to a signature verification method, there must be recognized not only characters written in the kaisho style but also cursively written characters. When characters are cursively written, writing motion becomes faster and does not involve any substantial visual feedback to the writer. In this case, the characters become less identifiable, and separation of a resultantly acquired pattern into strokes becomes difficult. Further, due to a large expansion or contraction of the pattern in the direction of the time axis or in the direction of stroke and/or the difference between the input pattern and a pre-registered pattern in these directions, a matching rate is extremely low, rendering recognition of characters difficult.

Another method is to enable recognition of characters without involving the separation of characters into strokes by application of time-series coordinate information and writing pressure. This method employs a pattern matching technique called dynamic programming (DP) matching, which takes into consideration variations in the coordinate information stemming from variations in writing action.

In the DP matching technique, variations in the writing motion are corrected with regard to the time axis or the arc length axis through use of a skew function which minimizes a cumulative error between patterns to be checked. Patterns are matched with each other on the basis of the coordinates and writing pressure that have been corrected so as to compensate variations in the writing motion, thereby enabling recognition of cursively handwritten characters.

Verification based on the addition of writing-pressure information to time-series coordinate information or normalization of input patterns by DP matching contributes to an improvement in the recognition rate of handwritten characters. However, in the case of application of the DP matching technique to recognition of cursively written characters or signature verification, a false signature may be erroneously recognized as a genuine signature. Therefore, in its present form, the DP matching technique cannot be put into practical use.

Japanese Patent No. 1,822,532 [Japanese Patent Publication (kokoku) No. 5-31798] entitled “A Method of Recognizing Handwritten Characters Online” describes a practical technique that is based on DP matching. Under this method, when the degree of difference between a registered pattern and an input pattern of handwritten characters is calculated by use of DP matching, time-series coordinate information and writing-pressure information are simultaneously processed by the assignment of optimum weighting coefficients to the time-series coordinate information and writing-pressure information. As a result, the difference is reduced, which in turn contributes to an improvement in the verification rate of authenticity and a reduction in processing time.

As mentioned previously, even in the case of unclear characters which cannot be separated into strokes, processing of the time-series coordinate information and writing-pressure information relating to handwritten characters enables recognition of the characters. Further, even in the case of cursively handwritten characters, the characters can be recognized in practice, as a result of a further improvement in the DP matching technique that compensates variations in writing motion in order to correct cumulative errors.

In a static signature verification system, an image scanner or an image OCR is used as a tool for reading characters. In contrast, in a dynamic signature verification system, a stylus pen is generally used. An appearance of such a dynamic signature verification system utilizing a stylus pen is shown. When characters are written on a tablet through use of a stylus pen, signals representing characters are sent to a verification section, where signature verification is performed.

Such a tablet and stylus pen are important devices that affect easiness of use. Therefore, recently these devices have been improved. For example, a tablet formed from a liquid-crystal panel and a wireless stylus pen having no signal cable have come into use. Further, in place of a piece of hardware dedicated to signature verification, a personal computer has come into use. In this case, signature verification is performed by software.

The processing performed in the verification section is composed of three steps; i.e., pre-processing/normalization, character extraction, and recognition/judgment. Information from the stylus pen includes relative coordinates (x, y) relative to the start point of a signature, and writing pressure p.

Since handwritten characters are not necessarily consistent, verification of a signature involves difficulty caused by variation in the direction of writing and in size, and hardware noise. The pre-processing/normalization removes these variations and noise and performs normalization in order to enable comparison with standard character patterns. Specifically, in the pre-processing, there are performed removal of excess series of points (sampling based on amount of relative movement), removal of random noise that depends on hand shake and resolution of a tablet (smoothing through load shift), removal of isolated data caused by erroneous operation of the tablet, and like operations. After completion of such pre-processing, the size and position of input characters are normalized. Subsequent to the above-described processing, characteristics of the characters are extracted, and recognition/judgment processing is performed.

The above-described method for verifying electronic signatures is realistic and practical. However, such signature verification involves many drawbacks to be solved. One of the drawbacks is that a signature is not necessarily consistent.

Handwriting of a signature varies depending on the mental state of the person signing and the circumstances under which the person signs. How can we authenticate a person while absorbing such variations? How can we avoid a possibility that a third person who imitates the handwriting of a certain person is authenticated as the certain person? These difficulties result in two types of errors in relation to signature verification; i.e., an error in which a certain person is judged to be another person (exclusion of the true person) and an error in which a person other than a certain person is judged to be the certain person (authentication of another person).

In signature verification, a person inputs signature data by signing on an electronic tablet by use of an electronic pen, which data are collated with previously registered signature data of the person by means of DP matching. However, since only the shape of a signature is collated in conventional signature verification schemes, characteristics of an electronic tablet and an electronic pen (hereinafter referred to as a “signing device”) have not been taken into consideration.

The size, inclination, etc., of characters are not affected by the characteristics of the signing device, because corresponding input signature data are normalized. However, because the handwriting of a signature is easily imitated in shape, signature verification on the basis of only shape is not safe. One method for solving such a problem is addition of writing-pressure information to shape information. Writing pressure cannot be determined from the appearance of a signature and depends on characteristics of a signer. Writing pressure is difficult for other persons to imitate. Thus, combined use of writing-pressure information and shape information enables stricter authentication of a person.

In such case, differences in characteristics among signing devices cause a problem. Although no problem arises when the same signing device is used, a problem arises in the current multimedia environment in which each person uses a signing device of a different manufacturer. In this case, writing-pressure information varies depending on the type of a signing device. In an exemplary case in which a person uses a signing device A for inputting registration signature data serving as a reference for signature verification and uses a signing device B for inputting signature data to be verified, the signing devices A and B output different writing-pressure information even when the person has signed with the same force. Therefore, writing-pressure information—which is employed because of inherent difficulty in imitation by other persons—excludes a true person as well as other persons.

An object of the present invention is to provide a method which solves the above-described problems and enables stable signature verification which provides a higher matching or verification rate.

SUMMARY OF THE INVENTION

In order to solve the above-described problem, preparation of registration signature data, input of signature data to be verified (verification signature data), and verification taking into consideration characteristics of a signing device (an electronic pen or an electronic tablet) are performed in the following manner.

That is, there is provided an electronic signature verification method in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true and a region in which the signature is not recognized to be true. When the signer sets the registration signature data, the registration signature data are set, by appropriate means, from a plurality of signature data sets for registration. The region in which the signature is recognized to be true is determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the region in which the signature is recognized to be true becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

There is further provided an electronic signature verification method in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment. The intermediate region in which re-signing is requested is determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

The above-described two methods are combined so as to provide an electronic signature verification method in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment, wherein the region in which the signature is recognized to be true and the intermediate region in which re-signing is requested are determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the region in which the signature is recognized to be true becomes wider when the distribution is wide and becomes narrower when the distribution is narrow and such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

Further, in the above-described methods, data of a handwritten character string of a signer and signature data sets for registration may be corrected on the basis of correction information for each of different signing devices in order to absorb differences among the input devices.

As described above, when signature data are to be registered, a person signs a plurality of times by use of a signing device. The thus-obtained data are fetched as time-series signature data including writing pressure information; characteristics which are peculiar to the signer and necessary for personal authentication are extracted in order to create registration signature data; and the thus-created registration signature data are registered in a master file. At this time, the registration signature data are collated again with a plurality of signature data sets to obtain cumulative errors (degree of difference). On the basis of the distribution of errors, a security level and a gray zone (intermediate region) corresponding to the stability of signatures of the signer are determined and registered. Further, at this time, writing-pressure information—which varies depending on the type of a signing device used—is converted into writing-pressure information of a signing device serving as a reference, in order to obtain correction information for each of different signing devices. The thus-obtained correction information is registered.

In the signature verification of the present invention, the sum of absolute values of differences between coordinate values contained in registration signature data and coordinate values contained in verification signature data is calculated and the values are averaged so as to obtain an error for each sample point. The thus-obtained error is called a cumulative error (degree of difference). On the basis of the degree of difference, a judgment is made as to whether a signature is a true signature (i.e., a signer is recognized to be a true person) or not a true signature (i.e., the signer is rejected as a person other than the true person).

At this time, a relatively high clear line is set for a person who signs at high stability, and a relatively low clear line is set for a person who signs at low stability. This clear line is called a “true-person exclusion line.” The lower the set value of the true-person exclusion line, the higher the security level that can be obtained; and the higher the set value of true-person exclusion line, the lower the security level that can be obtained. Data for the above-described signature verification are stored for each person and can be retrieved at the time of verification.

FIG. 1 is a diagram showing a cumulative-error frequency distribution and a true-person exclusion line. The horizontal axis of the coordinate system represents the degree of difference (cumulative error) in which the higher the value, the lower the probability of a signer being a true person, or the lower the value, the higher the probability of a signer being a true person. The origin O (0, 0) of the coordinate system is a reference point representing registration signature data themselves. When the degree of difference between verification signature data and registration signature data becomes zero, the verification signature data are judged to be identical with the registration signature data.

A curve representing the cumulative-error frequency distribution (hereinafter referred to as a “difference distribution curve”) is normalized such that the area below the curve equals 1. A point which bisects the area below the curve is a centroid and is typically located in the vicinity of a position corresponding to the peak of the curve. When the area of a region on the left side of the true-person exclusion line is represented by S₁, and the area of a region (hatched portion) on the right side of the true-person exclusion line is represented by S₂, a probability r of a true person being excluded can be obtained as follows:

$$r = \frac{S_2}{S_1 + S_2} = S_2, \quad \text{because } S_1 + S_2 = 1.$$

That is, a true person is recognized not to be a true person at the probability r. Although the difference distribution varies among persons, the true-person exclusion line can be drawn such that the probability r becomes constant, thereby enabling each of stable and unstable signers to be recognized as a true person at a constant probability. However, in a simple scheme in which a signer is recognized to be another person on the right side of the true-person exclusion line and is recognized to be a true person on the left side of the true-person exclusion line, there is a high risk that a signature of a person having a relatively low security level is imitated by other persons.

FIG. 2 shows a difference distribution of person A who can sign stably and a difference distribution of person B who cannot sign stably. In the case of this example, in order to increase the signature matching rate of person B, the true-person exclusion line for person B is drawn such that the area of the region on the left side of the true-person exclusion line becomes wider. This increases the possibility that any other person who imitates a signature of the true person is recognized to be the true person. Accordingly, there is a risk that other persons cannot be excluded by mere use of a true-person exclusion line—which is introduced in order to increase the probability of a true person being authenticated and which takes security level into consideration.

In order to solve this problem, the present invention employs an other-person exclusion line. FIG. 3 shows the relationship between an other-person exclusion line and a true-person exclusion line. A region sandwiched between the two lines is called a gray zone. In FIG. 3, a region on the right side of the true-person exclusion line is called a true-person exclusion region. When a result of signature verification indicates that a cumulative error (degree of difference) falls within the true-person exclusion region, the signature is recognized to be signed by a person other than the true person, even if the true person has signed.

Meanwhile, a region on the left side of the other-person exclusion line is called an other-person exclusion region, because signatures whose cumulative errors fall within this region can rarely be imitated by other persons. When the cumulative error falls within this region, the signer is determined to be a true person. The meaning of exclusion of other person will become clear upon reference to FIG. 4, which shows a difference distribution for the case in which a person other than the true person signs. In the graph of FIG. 4, although the value of frequency does not reach zero even on the left side of the other-person exclusion line, the value indicated by time-series signature data including writing-pressure information becomes substantially zero.

The gray zone sandwiched between the true-person exclusion line and the other-person exclusion line is a vague area in which it is impossible to judge whether a true person signed or a person other than the true person signed. When a result of signature verification indicates that the degree of difference falls within the gray zone, re-signing is requested, and signature verification is performed again for the new signature. On the basis of a result of the signature verification, a signer is judged to be a true person or a person other than the true person. For example, when the result of the signature verification for the new signature indicates that the degree of difference falls within the other-person exclusion region, the signer is recognized to be the true person, and when the result indicates that the degree of difference falls within the true-person exclusion region, the signer is recognized to be another person. When the degree of difference again falls within the gray zone, a judgment is automatically performed again. In this case, the signer is preferably judged to be another person if importance is placed on strictness.
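The regions derived from the registration errors and the re-signing rule described above can be sketched as follows; this is an added example and not part of the patent text. Placing the two exclusion lines at the mean plus fixed multiples (`a`, `b`) of the standard deviation of the registration errors is an assumption, as are all function names; signatures are assumed to be already normalized to the same number of (x, y, p) sample points, and the sample data are constructed.

```python
from statistics import mean, pstdev

def cumulative_error(reference, sample):
    """Per-sample-point average of the summed absolute differences over (x, y, p)."""
    if len(reference) != len(sample):
        raise ValueError("signatures must be normalized to the same number of points")
    total = sum(abs(r - s) for rp, sp in zip(reference, sample) for r, s in zip(rp, sp))
    return total / len(reference)

def enroll(signatures, a=1.0, b=3.0):
    """Average the registration signatures, collate the average with each of them,
    and place both exclusion lines from the spread of the resulting errors.
    a and b are assumed multipliers (0 <= a < b), not values from the patent."""
    if len(signatures) < 2:
        raise ValueError("a plurality of registration signatures is required")
    n = len(signatures[0])
    if any(len(sig) != n for sig in signatures):
        raise ValueError("registration signatures differ in length")
    template = [tuple(mean(sig[i][k] for sig in signatures) for k in range(3))
                for i in range(n)]
    errors = [cumulative_error(template, sig) for sig in signatures]
    mu, sigma = mean(errors), pstdev(errors)
    return {
        "template": template,
        "other_line": mu + a * sigma,  # at or below: recognized as the true person
        "true_line": mu + b * sigma,   # above: rejected as another person
    }

def judge(profile, sample):
    """Single judgment: 'accept', 'reject', or 'resign' for the gray zone."""
    error = cumulative_error(profile["template"], sample)
    if error <= profile["other_line"]:
        return "accept"
    if error > profile["true_line"]:
        return "reject"
    return "resign"

def verify(profile, first, resigned):
    """Gray zone on the first signature triggers one re-signing; a second
    gray-zone result is treated as rejection (the strict option in the text)."""
    decision = judge(profile, first)
    if decision != "resign":
        return decision
    second = judge(profile, resigned)
    return "reject" if second == "resign" else second

# Constructed sample data: four (x, y, pressure) points in integer tablet units.
BASE = [(0, 0, 10), (1, 2, 20), (2, 1, 30), (3, 3, 20)]

def with_pressure_offset(d):
    """Constructed variant of BASE whose pressure is shifted by d at every point."""
    return [(x, y, p + d) for x, y, p in BASE]

# Signer A varies little between registration signatures, signer B varies a lot.
STABLE = enroll([with_pressure_offset(d) for d in (-2, -1, 0, 1, 2)])
UNSTABLE = enroll([with_pressure_offset(d) for d in (-6, -3, 0, 3, 6)])

if __name__ == "__main__":
    for name, profile in (("stable", STABLE), ("unstable", UNSTABLE)):
        print(name, round(profile["other_line"], 3), round(profile["true_line"], 3),
              [judge(profile, with_pressure_offset(d)) for d in (1, 3, 4, 12)])
```

With these constructed profiles, a sample that the stable signer's profile rejects outright is accepted under the unstable signer's wider regions, which is the imitation risk the text attributes to signers with a low security level.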

The present invention employs a method for performing total judgment by use of a concept of security level and a concept of gray zone in a related manner such that the judgment for the gray zone is changed in accordance with the security level. This point will be described in detail in relation to an embodiment.

In the above discussion, passage or failure of a verification test (whether the signer is a true person or not) is determined on the basis of a region in which the degree of difference falls. However, the following point must be considered in relation to verification signature data. Since writing-pressure information varies depending on the performance of an electronic pen or electronic tablet used for signing, differences in input characteristics must be corrected in the case in which verification signature data include not only shape but also writing pressure, as in the present invention.

In general, as shown in FIG. 5, a proportional relationship exists between actual writing pressure and measured writing pressure as read from an electronic pen or electronic tablet. When electronic tablets or pens A, B, and C output measured writing pressures $p_A$, $p_B$, and $p_C$, respectively, for actual writing pressures p, correction values $\alpha_A$, $\alpha_B$, and $\alpha_C$ for the measured writing pressures $p_A$, $p_B$, and $p_C$ with respect to a measured writing pressure $p_N$ from a reference electronic tablet or pen N are represented as follows:

$$\alpha_A = p_A/p_N, \quad \alpha_B = p_B/p_N, \quad \alpha_C = p_C/p_N$$

When the relationship between actual writing pressure and measured writing pressures can be approximated by use of straight lines as shown in FIG. 5 and the lines pass through the origin O, the correction value α is constant regardless of the value of p. Therefore, measured writing pressure can be corrected by use of a correction value obtained from the above expressions. That is, when a writing pressure $P_s$ which is applied on an electronic pen or tablet S at a certain time and which is represented by verification signature data is represented as follows:

$$P_s = (x_{st}, y_{st}, p_{st})$$

a corrected writing pressure $P_s'$ is represented as follows:

$$P_s' = (x_{st}, y_{st}, p_{st} \cdot \alpha_S)$$

Accordingly, when corrected verification signature data $P_s'$ are compared with corrected registration signature data, verification can be performed without regard to the type of an electronic tablet or pen to be used. In the following description, unless otherwise specified, the term “writing pressure” means measured writing pressure (writing-pressure information). Although correction is performed for measured writing pressure output from an electronic tablet or an electronic pen, in the following description such correction will be simply referred to as “tablet correction.”

The above-described tablet correction assumes that the relationship between actual writing pressure and measured writing pressure can be approximated by use of a straight line. However, when a tablet whose characteristics cannot be approximated by use of a straight line is used, a curved-line approximation or a correction table may be used. However, the basic concept is the same as in the case of straight-line approximation.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete appreciation of the present invention, and many of the attendant advantages thereof, will be more readily obtained as the same becomes better understood by reference to the following detailed description when considered in connection with the following drawings, in which:

FIG. 1 is a graph used for description of a cumulative error frequency distribution (difference distribution) and a true-person exclusion line in the Means to Solve the Problems section;

FIG. 2 is a graph used for description of a relationship between stability in signing and a true-person exclusion line in the Means to Solve the Problems section;

FIG. 3 is a graph used for description of a relationship between a true-person exclusion line and an other-person exclusion line, as well as a gray zone, in the Means to Solve the Problems section;

FIG. 4 is a graph used for description of the merit of presence of a true-person exclusion line in the Means to Solve the Problems section;

FIG. 5 is a graph used for description of tablet correction in the Means to Solve the Problems section;

FIG. 6 shows an exemplary structure of hardware used in an embodiment of the present invention;

FIG. 7 is a graph used for description of a method for determining a rank in accordance with security level in the embodiment of the invention;

FIG. 8 is a diagram used for description of a method for separating characters on the basis of writing-pressure information in the embodiment of the invention;

FIG. 9 is a graph related to the embodiment of the invention and used for description of a relationship between the number of times of signing and a probability at which the degree of difference successively falls within the gray zone;

FIG. 10 is a flowchart showing signature verification processing performed in the embodiment of the invention;

FIG. 11 is a graph related to the embodiment of the invention and used for description of a relationship between the number of times of signing and a probability at which the degree of difference successively falls within the gray zone, for the case in which a person other than a true person imitates the signature of the true person;

FIG. 12 is a diagram related to the embodiment of the invention and schematically showing an example of a system configuration used for verifying the owner of a credit card through signature verification;

FIG. 13 is a graph related to the embodiment of the invention and used for description of a method of treating the gray zone; and

FIG. 14 is a flowchart showing signature verification processing in the embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Handwritten character recognition according to the present invention involves acquisition of coordinate information and writing-pressure information relating to characters to be verified; and arithmetic processing of these sets of information. To this end, there are needed means for measuring the coordinate information and writing-pressure information relating to handwritten characters, and arithmetic processing means for processing the thus-obtained sample data. The coordinate information and writing-pressure information measured by sampling the written characters at preset time intervals take the form of three-dimensional time-series data. However, these sets of information are preferably represented as data series comprising complex coordinate series and writing pressure series. The means for measuring the coordinate information and writing-pressure information comprises, e.g., a stylus pen having a built-in pressure sensor, and a digitizer for detecting the coordinates of the tip end of the pen.

With regard to the characters used as the standards for verification and characters to be collated, data are obtained by means of sampling coordinate information and writing speed information at equal time intervals. The thus-obtained data are normalized to correspond to an equal number of sampling points and are further preliminarily normalized with regard to position and size. For example, in the case of lateral writing action, in many cases a pen is moved from left to right. Such constant motion may hinder verification of the characters. For this reason, it is desirable to calculate a uniform stroke component from the pattern and to subtract the thus-obtained uniform stroke component from the coordinate information normalized with regard to position and size.

In the present invention, setting of registration signature data is performed as follows. Writing-pressure information is obtained from an electronic tablet of a pressure-sensing type and is registered in a server (see FIG. 6) connected to a terminal via a communication line. Signature verification is performed in the server, and one or more correction values for respective tablets are measured in advance and registered in a master file in the form of a constant value (in the case of a single constant correction value being used) or in the form of a table (in the case of different correction values being used).

When registration signature data are set, a person who wishes to register his signature signs a plurality of times in order to create registration signature data.

Subsequently, there are performed the steps of:

(1) averaging the plurality of signature data sets for registration in order to calculate a candidate set of registration signature data;

(2) collating the candidate set of registration signature data with each signature data set for registration;

(3) when no unacceptable discrepancy is found as a result of verification between the candidate set of registration signature data and the signature data sets for registration, treating the candidate set of registration signature data as registration signature data; and

(4) when at least one unacceptable discrepancy is found as the result of verification between the candidate set of registration signature data and the signature data sets for registration, repeating steps (1) and (2) in order to find a candidate set of registration signature data for which no unacceptable discrepancy is found as a result of verification with the signature data sets for registration, and treating the candidate set of registration signature data as registration signature data.

Instead of the above-described method in which data creation is repeated until a desired result is obtained, there can be employed a method comprising the steps of:

(1) averaging a plurality of signature data sets in order to calculate a candidate set of registration signature data;

(2) collating the candidate set of registration signature data with each signature data set for registration;

(3) when no unacceptable discrepancy is found as a result of verification between the candidate set of registration signature data and the signature data sets for registration, treating the candidate set of registration signature data as registration signature data; and

(4) when at least one unacceptable discrepancy is found as a result of verification between the candidate set of registration signature data and the signature data sets for registration, inputting an additional signature data set for registration; forming a plurality of groups each consisting of signature data sets for registration selected from the increased number of signature data sets for registration such that the number of signature data sets for registration in each group is less than the total number of signature data sets for registration; collating with each signature data set for registration a candidate set of registration signature data that is obtained by averaging the signature data sets in each group; and treating, as registration signature data, the candidate set of registration signature data of the group that produces the best verification result.
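
The alternative registration procedure above, as an added Python sketch that is not part of the patent text. The mean-squared `error` is a stand-in for the cumulative error D, and the acceptance `limit`, the leave-one-out groups and the reading of "best verification result" (most samples within the limit, then smallest median error) are assumptions made for illustration.

```python
from itertools import combinations
from statistics import median


def average(samples):
    """Step (1): point-wise mean of equal-length, already normalized data sets."""
    return [sum(col) / len(col) for col in zip(*samples)]


def error(a, b):
    """Stand-in for the cumulative error D: mean squared point-wise difference."""
    return sum(abs(x - y) ** 2 for x, y in zip(a, b)) / len(a)


def collate(candidate, samples, limit):
    """Step (2): error of every sample against the candidate, and whether all pass."""
    errors = [error(candidate, s) for s in samples]
    return errors, all(e <= limit for e in errors)


def enroll(samples, limit, extra=None):
    """Return (registration data, indices of the samples averaged).

    Step (3): accept the plain average if every sample collates within limit.
    Step (4): otherwise add the extra sample, average every group that leaves
    one sample out, collate each candidate with the whole pool and keep the
    group with the best result. Returns (None, ()) when an extra sample is
    needed but was not supplied.
    """
    candidate = average(samples)
    _, ok = collate(candidate, samples, limit)
    if ok:
        return candidate, tuple(range(len(samples)))
    if extra is None:
        return None, ()
    pool = list(samples) + [extra]
    best_key, best = None, None
    for idx in combinations(range(len(pool)), len(pool) - 1):
        cand = average([pool[i] for i in idx])
        errors, _ = collate(cand, pool, limit)
        # Assumed meaning of "best": most samples accepted, then lowest median error.
        key = (sum(e <= limit for e in errors), -median(errors))
        if best_key is None or key > best_key:
            best_key, best = key, (cand, idx)
    return best


# Constructed sample: real signature data are complex coordinates plus pressure;
# four real-valued points per signature keep the arithmetic easy to follow.
SAMPLES = [[0.0] * 4, [0.2] * 4, [2.0] * 4]   # the third signing is an outlier
EXTRA = [0.1] * 4                             # additional signature for step (4)
LIMIT = 0.05

if __name__ == "__main__":
    print(enroll(SAMPLES, LIMIT))          # (None, ()): the plain average fails
    print(enroll(SAMPLES, LIMIT, EXTRA))   # the group without the outlier is chosen
```

A criterion based on the summed error over all samples would favour the group whose average sits closest to the overall mean, which keeps the outlier in; counting accepted samples avoids that.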

The registration signature data may be registered as they are or may be registered together with the type of tablet used. In the former case, signature data are corrected by use of a correction value determined with respect to a reference tablet, and the thus-corrected data are registered as the registration signature data. Therefore, correction of the registration signature data during verification processing is not required. In the latter case, during the verification processing, the registration signature data are corrected by use of a correction value corresponding to the type of the tablet. The former case is generally used for registration.

At the same time, a difference distribution (cumulative error distribution) is measured, and a true-person exclusion line and an other-person exclusion line are determined and registered. Further, as shown in FIG. 7, one of three security levels L_(A), L_(B), and L_(C) is set in accordance with the value of the true-person exclusion line. Signatures of a person whose true-person exclusion line falls within the level L_(A) are judged to be highly stable and are categorized in rank A; signatures of a person whose true-person exclusion line falls within the level L_(B) are categorized in rank B; and signatures of a person whose true-person exclusion line falls within the level L_(C) are categorized in rank C. This operation is called ranking on the basis of security level.

Next, signature verification will be described. The signature verification is performed on the basis of a cumulative error between the verification signature data and the registration signature data. Calculation for the signature verification is performed in the following manner.

Cumulative error D (sum of normalized degrees of difference (in the present invention, simply called “degree of difference”)) is calculated by use of the following Equations 1 and 2. Equation 1 represents the degree of difference between the m-th character of registration signature data A and the corresponding character of verification signature data set B.

$$d_{s}^{2}(m) = \frac{\sum\limits_{k = L_{s}(m)}^{L_{e}(m)}\left\{ \left( 1 - w_{p} \right) \cdot \left| z_{A}^{*}(k) - z_{B}^{*}\left( \tau(k) \right) \right|^{2} + w_{p} \cdot \left| p_{A}^{*}(k) - p_{B}^{*}\left( \tau(k) \right) \right|^{2} \right\}}{L_{e}(m) - L_{s}(m) + 1} \qquad \text{(Eq. 1)}$$

Equation 2 represents the overall degree of difference of the signature; i.e., a normalized degree of difference obtained through a calculation in which the sum of the degrees of difference for the respective characters is divided by the total number of data points in the characters.

$$D(A,B) = \frac{\sum\limits_{m = 1}^{M} d_{s}(m) \cdot \left( L_{e}(m) - L_{s}(m) + 1 \right)}{\sum\limits_{m = 1}^{M}\left( L_{e}(m) - L_{s}(m) + 1 \right)} \qquad \text{(Eq. 2)}$$

where L_(s)(m), L_(e)(m) respectively represent the start and end points of the m-th character, M represents the number of characters, w_(p) represents a weighting coefficient, τ(k) represents a skew function at the k-th sample point of the m-th character, and z* and p* respectively represent normalized positional coordinates and a normalized writing pressure coordinate. The coefficient w_(p) satisfies the following relation:

0≦w_(p)≦1.

Through adjustment of this coefficient, the effect of writing-pressure information on authentication judgment is varied.

Further, z* represents the following complex coordinates:z^(*) = x^(*) +   y^(*) = SQRT(−1)  (the  square  root  of   − 1).

The skew function τ is a function for minimizing the cumulative error of handwritten signature data. The positional coordinates and writing pressure coordinate of the signature data B corrected by use of this function are z*_(B)(τ(k)) and p*_(B)(τ(k)). In other words, the cumulative error can be minimized through selection of a coordinate point (z*_(B)(τ(k)), p*_(B)(τ(k))) of the signature data B that corresponds to a coordinate point (z*_(A)(τ(k)), p*_(A)(τ(k))) of the signature data A. Each of the writing-pressure information p*_(A)(τ(k)) and the writing-pressure information p*_(B)(τ(k)) used here is a value subjected to tablet correction.

The number of characters can be obtained from the writing-pressure information, an example of which is shown in FIG. 8. As shown in FIG. 8, characters are separated from one another while a portion where the writing pressure P becomes zero is used as a separation point. However, when the distance between adjacent strokes (e.g., second and third strokes of the second character) is less than a predetermined value, the two strokes are regarded as belonging to a single character. The start and end points of each section obtained through separation of characters are L_(s) and L_(e), respectively, and coordinates (including the pressure component) are provided for each section.
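
The calculation of Equations 1 and 2 together with the pressure-based character separation, as an added Python example that is not part of the patent text. It assumes the data are already normalized, takes D as the length-weighted mean of d_s(m) (the square root of Eq. 1) as Eq. 2 is printed, and uses an identity alignment when no skew function τ is supplied, since the text does not say how τ is computed; `min_gap` stands for the predetermined stroke distance.

```python
import math


def strokes(p):
    """Maximal runs of samples with non-zero writing pressure (pen down)."""
    runs, start = [], None
    for k, v in enumerate(p):
        if v > 0 and start is None:
            start = k
        elif v <= 0 and start is not None:
            runs.append((start, k - 1))
            start = None
    if start is not None:
        runs.append((start, len(p) - 1))
    return runs


def segment_characters(z, p, min_gap):
    """Return inclusive (Ls, Le) index pairs, one per character.

    Zero pressure separates characters, except that a stroke starting closer
    than min_gap to the end of the previous stroke joins the same character.
    """
    chars = []
    for ls, le in strokes(p):
        if chars and abs(z[ls] - z[chars[-1][1]]) < min_gap:
            chars[-1] = (chars[-1][0], le)
        else:
            chars.append((ls, le))
    return chars


def char_difference_sq(zA, pA, zB, pB, tau, ls, le, w_p):
    """Eq. 1: d_s^2(m) for the character spanning samples ls..le."""
    total = sum(
        (1 - w_p) * abs(zA[k] - zB[tau[k]]) ** 2
        + w_p * abs(pA[k] - pB[tau[k]]) ** 2
        for k in range(ls, le + 1)
    )
    return total / (le - ls + 1)


def cumulative_error(zA, pA, zB, pB, chars, w_p, tau=None):
    """Eq. 2: mean of d_s(m) over the characters, weighted by sample count."""
    if not 0 <= w_p <= 1:
        raise ValueError("w_p must satisfy 0 <= w_p <= 1")
    if not chars:
        raise ValueError("no characters found: pressure is never non-zero")
    if tau is None:
        tau = range(len(zA))  # assumption: identity alignment, tau(k) = k
    num = den = 0.0
    for ls, le in chars:
        n = le - ls + 1
        d_s = math.sqrt(char_difference_sq(zA, pA, zB, pB, tau, ls, le, w_p))
        num += d_s * n
        den += n
    return num / den


# Constructed sample: two strokes separated by one pen-up sample (index 3).
# B differs from A in shape on the first stroke and in pressure on the second.
ZA = [0 + 0j, 1 + 0j, 2 + 0j, 2 + 0j, 5 + 0j, 6 + 0j]
PA = [0.5, 0.5, 0.5, 0.0, 0.5, 0.5]
ZB = [z + 0.3j for z in ZA[:3]] + ZA[3:]
PB = PA[:4] + [0.6, 0.6]

if __name__ == "__main__":
    chars = segment_characters(ZA, PA, min_gap=1.0)
    for w in (0.0, 0.5, 1.0):
        print(w, chars, round(cumulative_error(ZA, PA, ZB, PB, chars, w), 4))
```

With w_p = 0 only the shape difference of the first stroke contributes to D, and with w_p = 1 only the pressure difference of the second.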

Next, the method for signature verification will be described. In the following description, as shown in FIG. 9, the degree of difference of an other-person exclusion line is represented by D₁; the degree of difference of a true-person exclusion line is represented by D₂; the degree of difference of verification signature data is represented by D; and security level is divided into level L_(A) or rank A, level L_(B) or rank B, and level L_(C) or rank C (see FIG. 7). Basically, regardless of security level, judgment is performed as follows.

When D<D₁, a signer is recognized as a true person (passes a verification test).

When D>D₂, a signer is recognized as another person (fails the verification test).

The above judgment is natural from the viewpoint of the purpose of the other-person exclusion line and the true-person exclusion line. However, signatures falling in the gray zone are treated in one of different manners in accordance with situation and purpose. For example, the gray zone has different meanings for persons having different security levels. That is, in the case of a person having a high security level (a person in rank A in the above-described definition), since the gray zone itself is present in a region which is hardly invaded or the person's signature is less likely to be imitated, the gray zone itself can be regarded as a true-person recognition region. By contrast, in the case of a person having a low security level (a person in rank C in the above-described definition), the gray zone is a region in which the person's signature is easily imitated, and is therefore regarded as an other-person recognition region in situations which require strictness.

In view of the above, re-signing is requested when D is not less than D₁ and not greater than D₂, and verification is performed again for a newly input signature. In this verification, judgment is made in the following manner, depending on the security rank (i.e., rank A, B, or C). When the degree of difference of the newly input signature is represented by D, judgment is performed as follows, regardless of security level.

When D<D₁, a signer is recognized as a true person (passes a verification test).

When D>D₂, a signer is recognized as another person (fails the verification test).

However, when D₁≦D≦D₂; i.e., when D falls within the gray zone, different judgment criteria are set for a person whose security level is rank A, a person whose security level is rank B, and a person whose security level is rank C.

(1) For a person whose security level is rank A:

if D₁≦D≦D₂, the person is recognized as a true person.

(2) For a person whose security level is rank B:

if D₁≦D≦D₁+(D₂−D₁)/2, the person is recognized as a true person; and if not, the system entrusts an operator to make judgment as to, for example, whether re-signing must be requested.

(3) For a person whose security level is rank C:

the system always entrusts an operator to make judgment as to, for example, whether re-signing must be requested.

In the above-described example, an ambiguous expression “entrusting an operator” is used. However, such operation may be performed mechanically such that when a value of D falls within the gray zone, the signer is repeatedly requested to sign; and when the value of D enters either the true-person exclusion region (in which the signer is determined to be another person) or the other-person exclusion region (in which the signer is determined to be a true person), a judgment is made as to whether the signer is the true person or a person other than the true person.

That is, mechanical judgment can be performed by means of a judgment method shown in the flowchart of FIG. 10. It is assumed that ranks have been determined at the time of creation of registration signature data (but may be modified later). The flowchart shows processing which embodies the above-described method. The processing will be described in a summarized manner.

For a person whose security level is rank A (a highly stable signer), the gray zone is regarded as an other-person exclusion region (in which the signer is determined to be a true person) to thereby lower the pass level of the verification test.

For a person whose security level is rank B (an intermediately stable signer), the value of the other-person exclusion line is increased to D₁+(D₂−D₁)/2 to thereby increase matching rate. However, the signer is requested to re-sign repeatedly until the inequality D<D₁ or D>D₂ is attained.

For a person whose security level is rank C (unstable signer), the signer is requested to re-sign repeatedly until the inequality D<D₁ or D>D₂ is attained.

The reason why the signer is requested to re-sign repeatedly so long as the value of D falls within the gray zone will be described. As shown in FIG. 9, it is assumed that the area of an other-person exclusion region is S₁; the area of a gray zone is S_(g); the area of a true-person exclusion region is S₂; and S₁, S_(g), and S₂ are normalized such that S₁+S_(g)+S₂=1. In this case, the area S_(n) (n=1, g, 2) represents the probability of the degree of difference D of verification signature data falling within the corresponding region.

Accordingly, when the gray zone is determined to account for 40% regardless of security level, the probability S_(g)^(m) at which all of m sets of verification signature data fall within the gray zone is 0.4^(m). Therefore, when m=4, S_(g)^(m) becomes 0.0256, which means that only two of about 100 signatures fall within the gray zone. However, since the other-person exclusion region (in which the signer is determined to be a true person) for each of ranks A and B is widened, the matching rate increases considerably as compared with the case in which judgment is simply made by D<D₁. Since the gray zone is widened, the person whose security level is rank C (unstable signer) may be requested to re-sign repeatedly. However, this is important from the viewpoint of necessity of excluding other persons.

As shown in FIG. 11, a signature of a person imitating a signature of an unstable signature falls within the gray zone for the unstable signature at a high probability. When the probability (area) of such an imitated signature falling within the gray zone is represented by S_(g)′, the probability of two imitated signatures falling within the gray zone is represented by S_(g)′². When S_(g)′=0.05 (=5%), the probability of two imitated signatures falling within the gray zone is 0.0025, or two signatures among about 1000 signatures. The probability decreases exponentially as the re-signing is repeated. When the present invention utilizing time-series data including writing-pressure information is employed, it becomes considerably difficult for other persons to imitate a registered signature such that an imitated signature is judged to match the registered signature at a probability of 5%. Further, since the probability decreases exponentially as the re-signing is repeated, the possibility at which a person other than a true person is recognized to be the true person is almost zero. This demonstrates the importance of the gray zone.

The manner of treating the gray zone is not limited to the above-described manner, and may be modified in accordance with a field in which signature verification is used and the purpose of signature verification. Such an example will be described as an embodiment of the present invention.

In an example serving as the embodiment of the present invention, signature verification is performed when a customer shops by credit card at a store which accepts credit cards. Registration signature data are registered in a server at the company which has issued the credit card. An electronic tablet of a pressure-sensing type is provided in the store. Signature data are converted into verification signature data at a terminal and are sent to the server via a communication line. FIG. 12 shows the configuration of the system. Different stores may use different types of electronic tablets. However, it is assumed that correction values for different tablets have already been measured and stored in a master file of the server.

When a customer pays for goods or services by use of a credit card, the terminal reads card information from the card. Subsequently, the terminal is connected to the server of the credit company which manages the card, and the server issues a request for an electronic signature. In accordance with the request, the customer signs. Signature data are sent, as verification signature data, to the server and verified therein, and a result of verification is reported to the terminal. On the basis of the verification result, a clerk judges whether the customer can use the card.

When the verification result indicates that the degree of difference D falls within the other-person exclusion region, the customer is recognized as a true person, and the credit card transaction is permitted. When the verification result indicates that the degree of difference D falls within the true-person exclusion region, the customer is recognized as another person, and the credit card transaction is denied. When the degree of difference D falls within the gray zone, re-signing is requested. When a signature produced as a result of the re-signing is again judged such that its degree of difference falls within the gray zone, re-signing is requested again. When a signature produced as a result of the second re-signing is again judged such that its degree of difference falls within the gray zone, the clerk determines whether the credit card transaction is to be accepted or denied. As described above, the probability of an imitated signature falling within the gray zone decreases exponentially through repeated re-signing. Taking this into consideration, the other-person exclusion region is widened as the number of times of re-signing increases, in order to increase matching rate with respect to the true person while excluding other persons. That is, as shown in FIG. 13, the gray zone is equally divided into three zones, and the other-person exclusion line used for judgment is shifted rightward by d each time re-signing is performed.

FIG. 14 shows a flowchart of the above-described processing. The processing of FIG. 14 is basically the same as that of FIG. 10 except that ranks of security level are not used; the gray zone is divided into three zones in order to increase matching rate every time re-signing is performed; and the final judgment is entrusted to the clerk. The reason why the final judgment is made by the clerk is as follows. In the case of a stable signer, the probability of passing a verification test in an early stage is high. By contrast, in the case of an unstable signer, his signatures may involve variation greater than that represented by an actual error distribution (difference distribution registered at the beginning). In this case, the probability of the true person being recognized not to be the true person becomes higher than the probability of another person successively imitating the signature in order to illegally use the card. In such case, when the card holder is a regular customer and is familiar to the clerk, or when the card holder can be proven to be a true person by means of his ID card or the like, the customer is judged to be the true owner of the card. This procedure is practical for stores.
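
The two judgment procedures described above (rank-dependent re-signing, and the credit-card variant with a shifting other-person exclusion line), as an added Python example that is not part of the patent text. It reads the text as applying the rank-dependent criteria from the first re-signed signature onward; the thresholds and D values in the usage are constructed, and the function names are hypothetical.

```python
from enum import Enum


class Verdict(Enum):
    TRUE_PERSON = "recognized as true person"
    OTHER_PERSON = "recognized as another person"
    RESIGN = "re-signing requested"
    CLERK = "final judgment left to clerk"


def judge(D, accept_line, D2, inclusive=False):
    """Three-zone judgment: accept below accept_line, reject above D2, else gray."""
    if D > D2:
        return Verdict.OTHER_PERSON
    if D < accept_line or (inclusive and D <= accept_line):
        return Verdict.TRUE_PERSON
    return Verdict.RESIGN


def resign_accept_line(rank, D1, D2):
    """Accept line for a re-signed signature: A takes the whole gray zone,
    B the lower half, C none of it."""
    lines = {"A": D2, "B": D1 + (D2 - D1) / 2, "C": D1}
    if rank not in lines:
        raise ValueError("rank must be 'A', 'B' or 'C'")
    return lines[rank]


def verify_ranked(scores, D1, D2, rank):
    """scores: degree of difference D of the first signature, then of each re-sign.

    Returns (verdict, signatures used); RESIGN means every supplied signature
    fell in the gray zone and another one is needed.
    """
    line = resign_accept_line(rank, D1, D2)
    for attempt, D in enumerate(scores):
        if attempt == 0:
            verdict = judge(D, D1, D2)                      # same for every rank
        else:
            verdict = judge(D, line, D2, inclusive=rank != "C")
        if verdict is not Verdict.RESIGN:
            return verdict, attempt + 1
    return Verdict.RESIGN, len(scores)


def verify_card(scores, D1, D2, zones=3):
    """Credit-card variant: the gray zone is split into `zones` equal parts and
    the accept line moves right by d per re-sign; after the last permitted
    re-sign a gray result goes to the clerk."""
    d = (D2 - D1) / zones
    for attempt, D in enumerate(scores[:zones]):
        verdict = judge(D, D1 + attempt * d, D2)
        if verdict is not Verdict.RESIGN:
            return verdict, attempt + 1
    used = min(len(scores), zones)
    return (Verdict.CLERK if used == zones else Verdict.RESIGN), used


def all_gray_probability(S_g, m):
    """Probability that m independent signatures all fall in the gray zone."""
    return S_g ** m


if __name__ == "__main__":
    D1, D2 = 10, 40                                # constructed thresholds
    for rank in "ABC":
        print(rank, verify_ranked([20, 22], D1, D2, rank))
    print(verify_card([25, 25, 25], D1, D2))       # accepted on the second re-sign
    print(verify_card([35, 35, 35], D1, D2))       # still gray: clerk decides
    print(all_gray_probability(0.4, 4), all_gray_probability(0.05, 2))
```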

In the method used in the present embodiment, security level is taken into consideration only in determining the true-person exclusion line. Therefore, if the gray zone is set to account for the same ratio for a person having a low security level (unstable signer) and for a person having a high security level (stable signer), the degree of difference falls within the gray zone at the same rate regardless of the type of person who signed. This causes a greater problem in relation to true-person exclusion than in relation to other-person exclusion. Accordingly, the manner of judgment may need to be changed in accordance with the type of signer, through the above-described methods, such as a method in which ranking is performed according to security level and a method in which, for a stable signer, the other-person exclusion line is shifted toward the true-person exclusion line in order to narrow the gray zone to thereby widen the true-person recognition region.

Since the gray zone employed in the present invention is considered to be a fuzzy portion, the gray zone may vary depending on the field in which signature verification is used and the purpose of signature verification. For example, when signature verification is used to control entry into a laboratory having a high level of confidentiality, judgment is preferably performed mechanically as in the example mentioned in the embodiment. By contrast, when a credit card is used at a store having a clerk who can personally identify customers in many cases, there is needed a method in which mechanical or automatic judgment is combined with judgment by a human. Especially, in the latter case, provision of a gray zone—which is a fuzzy portion—enables creation of a state in which judgment by a human is performed with ease. However, in this case, it is naturally required that there be devised a method of setting a gray zone, as well as a processing method, in order to reduce situations in which judgment must be made by a human.

In a conventional signature verification technique, judgment as to whether a signer is a true person or not has been performed on the basis of the absolute value of a cumulative error (a cumulative error value which is constant regardless of the stability of signatures). Such a conventional method involves a problem in that a person who cannot sign stably (an unstable signer) is not recognized to be a true person. When an attempt is made to increase the overall matching rate, a line which is set for a person who can sign stably (a stable signer) and which prevents other persons from imitating the signature lowers, causing a security problem. The concept of security level of the present invention has solved these two conflicting problems. That is, the present invention employs a true-person exclusion line which changes depending on security level. Since the true-person exclusion line—which is a pass line (a border line (true-person exclusion line) used for recognition of a true person)—is determined in accordance with the security level or the stability of a signer, matching rate does not depend on the stability of the signer.

However, since the true-person exclusion line for a person having a lower security level (an unstable signer) is set so as to increase the matching rate, it becomes difficult to exclude other persons. In order to solve this problem, the present invention employs the concept of combined use of an other-person exclusion line and a gray zone. The introduction of a gray zone, in which judgment as to whether a signer is a true person or not cannot be performed, enables achievement of two conflicting improvements; i.e., an increase in other-person exclusion rate and an increase in true-person recognition rate.

The conventional signature verification is performed on the basis of shape only. Therefore, the type of an electronic pen or tablet used for signing has not been taken into consideration. By contrast, in the present invention, writing-pressure information is added to factors of signature verification. This writing-pressure information prevents a person other than a true person from imitating a signature of the true person, because writing pressure is information which cannot be obtained through observation of a signature, although the shape of the signature can be obtained visually. The tablet correction according to the present invention is used to correct the writing-pressure information and enables use of the signature verification method of the present invention regardless of the type of electronic pen or tablet to be used. Accordingly, a user can use a type that the user has grown accustomed to or an inexpensive type. Although the term “tablet correction” is used in the description, it means “correction of writing-pressure information” and encompasses correction for writing-pressure information from an electronic pen and correction for writing-pressure information from an electronic tablet.

What is claimed is:
1. An electronic signature verification method in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment, characterized in that (1) when the signer sets the registration signature data in advance, the registration signature data are set, by appropriate means, from a plurality of signature data sets for registration; and (2) the intermediate region in which re-signing is requested is determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

2. An electronic signature verification method in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment, characterized in that (1) when the signer sets the registration signature data in advance, the registration signature data are set, by appropriate means, from a plurality of signature data sets for registration; and (2) the region in which the signature is recognized to be true and the intermediate region in which re-signing is requested are determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the region in which the signature is recognized to be true becomes wider when the distribution is wide and becomes narrower when the distribution is narrow and such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

3. An electronic signature verification system in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment, characterized in that (1) when the signer sets the registration signature data in advance, the registration signature data are set, by appropriate means, from a plurality of signature data sets for registration; and (2) the intermediate region in which re-signing is requested is determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

4. An electronic signature verification system in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment, characterized in that (1) when the signer sets the registration signature data in advance, the registration signature data are set, by appropriate means, from a plurality of signature data sets for registration; and (2) the region in which the signature is recognized to be true and the intermediate region in which re-signing is requested are determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the region in which the signature is recognized to be true becomes wider when the distribution is wide and becomes narrower when the distribution is narrow and such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

5. A recording medium for a computer which stores a program for performing an electronic signature verification method in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment, characterized in that (1) when the signer sets the registration signature data in advance, the registration signature data are set, by appropriate means, from a plurality of signature data sets for registration; and (2) the intermediate region in which re-signing is requested is determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.

6. A recording medium for a computer which stores a program for performing an electronic signature verification method in which data of a handwritten character string of a signer are fetched; registration signature data of the signer set in advance are retrieved; the data of the handwritten character string are compared with the registration signature data; and a verification judgment is performed by use of separate regions including a region in which the signature is recognized to be true, a region in which the signature is not recognized to be true, and an intermediate region in which re-signing is requested due to impossibility of judgment, characterized in that (1) when the signer sets the registration signature data in advance, the registration signature data are set, by appropriate means, from a plurality of signature data sets for registration; and (2) the region in which the signature is recognized to be true and the intermediate region in which re-signing is requested are determined on the basis of the distribution of cumulative errors between the registration signature data and the plurality of signature data sets for registration, such that the region in which the signature is recognized to be true becomes wider when the distribution is wide and becomes narrower when the distribution is narrow and such that the intermediate region becomes wider when the distribution is wide and becomes narrower when the distribution is narrow.